Eric,

I already answered E. Alaknantha with a code snippet answering
his question, sorry I forgot to CC the entire list so everyone would
know...

It really would be nice if folks just followed up privately to off-topic
posts.

-rick (cc'ing the list so everyone knows the way)


On 20 Dec 2001, Eric Rescorla wrote:

> This really isn't the right forum for this question. Surely
> there is a JSSE mailing list.
>
> That said...
>
> "E Alaknantha" <[EMAIL PROTECTED]> writes:
> > I am working with JSSE for SSL communications. I am facing some
> > problems in doing the mutual authentication with the server certificates
> > exported to the PFX format.
> >
> > I am doing a mutual authentication by initialising the keystores with
> > the PFX file and the truststores with the DER file all in the PKCS12
> > type.
> > But only one side authentication is happening. The client does not send
> > its public certificate to the server and hence getting a null
> > certificate received exception.
> >
> > It would be greatly helpful if I could get some suggestions on this
> > fronts. First of all I want to confirm if the PKCS12 form supports
> > mutual authentication.
> Let's take a step back.
>
> PKCS12/PFX is just a carrier for keying material. It doesn't
> support or not support mutual authentication. If both sides
> have suitable keying material then mutual authentication is
> possible. Otherwise it is not.
>
> The way that authentication works with SSL/TLS is that you have
> required server auth but optional client auth. [0] The server
> automatically sends its certificate. If the server wants to
> authenticate the client it sends a CertificateRequest message
> containing a list of suitable CAs. If the client has a suitable
> certificate it sends that, otherwise it sends an empty certificate
> message or an alert indicating that it won't client authenticate.
>
> Most SSL implementations do not ask for client authentication by
> default. Have you set the configuration flag that tells JSSE
> to do so?
>
> -Ekr
>
> [0] There are actually anonymous modes where neither server nor
> client authenticates but these are very rarely used.
>
> --
> [Eric Rescorla                                   [EMAIL PROTECTED]]
> Author of "SSL and TLS: Designing and Building Secure Systems"
>                   http://www.rtfm.com/
>
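An added example, not code from Rick's or Eric's messages, showing the JSSE server side of what Eric describes: the PFX loaded as a PKCS12 KeyStore, the bare DER CA certificate wrapped into an in-memory trust store (a DER file is not itself a keystore), and the flag that makes the server send CertificateRequest. The file names, port and password are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class MutualAuthServer {
    // Assumed file names and password; not taken from the thread.
    static final String SERVER_PFX = "server.pfx";
    static final String CLIENT_CA_DER = "client-ca.der";
    static final char[] PASSWORD = "changeit".toCharArray();

    // The PFX holds the server's private key and chain: PKCS12 is a KeyStore type in JSSE.
    static KeyManager[] keyManagersFromPfx(String path, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) { ks.load(in, pw); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pw);
        return kmf.getKeyManagers();
    }

    // A DER certificate file is not a keystore: parse it with CertificateFactory
    // and place it in an empty in-memory KeyStore that holds only trusted CA entries.
    static TrustManager[] trustManagersFromDer(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate ca;
        try (InputStream in = new FileInputStream(path)) {
            ca = (X509Certificate) cf.generateCertificate(in);
        }
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(null, null); // create an empty store
        ts.setCertificateEntry("client-ca", ca);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        return tmf.getTrustManagers();
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagersFromPfx(SERVER_PFX, PASSWORD), trustManagersFromDer(CLIENT_CA_DER), null);
        SSLServerSocket server = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(8443);
        // Without this the server never sends CertificateRequest, the client never presents
        // its certificate, and getPeerCertificates() fails. setWantClientAuth(true) would
        // request a certificate but still accept clients that send none.
        server.setNeedClientAuth(true);
        try (SSLSocket s = (SSLSocket) server.accept()) {
            X509Certificate peer = (X509Certificate) s.getSession().getPeerCertificates()[0];
            System.out.println("client authenticated as " + peer.getSubjectX500Principal());
        }
    }
}
```

The client side needs the mirror image: its own PFX for the KeyManagers and the server's CA certificate for the TrustManagers, with the CA matching one the server lists in its CertificateRequest.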
